hide command usage argument on browser of shell_ex

Posted 2019-07-27 14:16

Question:

I am making a web-based traceroute. I use shell_exec to execute the process and show the output in the browser. I have a problem the first time I call the page in the browser: the usage of the tracert command is shown. I tried to hide it by placing the script inside the function. Yes, it works, but other elements, like the map, don't show when I start loading the page. Here is my PHP code:

<html>
<head>
<title></title>
<body>
<?
$host  = @$_POST['host']; 
$trace = @$_POST['trace'];
$self  = $_SERVER['PHP_SELF'];
?>
...
        <form name="tools" action="<?php $self ?>" method="post">
    <p><font size="2">Your IP is <?php $ip ?> </font></p>
    <input type="text" name="host" value=""></input>
    <input type="submit" name="trace" value="Traceroute!"></input>
    </form>
    <?php
    if ($_POST['submit']) 
{
    if (($host == 'Enter Host or IP') || ($host == "")) {
        echo '<br><br>You must enter a valid Host or IP address.';
        exit; } 

    if(eregi("^[a-z]",  $host))
    {
        $host_name = $host;
        $host_ip = gethostbyname($host);
    }
    else
    {
        $host_name = gethostbyaddr($host);
        $host_ip = $host;
    } 
}
    $host= preg_replace ("[-a-z0-9!#$%&\'*+/=?^_`{|}~]","",$host);
    $command = "tracert $host";
    $fp = shell_exec("$command 2>&1");
    $output .= (htmlentities(trim($fp)));
    echo "<pre>$output</pre>";
    echo '<br/>'; 
?>
...

</body>
</html>

And the HTML code (browser output):

<form name="tools" action="" method="post">

    <p><font size="2">Your IP is  </font></p>

    <input type="text" name="host" value=""></input>

    <input type="submit" name="trace" value="Traceroute!"></input>

    </form>

    <pre>Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] 
               [-R] [-S srcaddr] [-4] [-6] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list (IPv4-only).
    -w timeout         Wait timeout milliseconds for each reply.
    -R                 Trace round-trip path (IPv6-only).
    -S srcaddr         Source address to use (IPv6-only).
    -4                 Force using IPv4.
    -6                 Force using IPv6.</pre><br/> <script type="text/javascript">

    var pinImage = new google.maps.MarkerImage ("http://chart.apis.google.com/chart?chst=d_map_xpin_letter_withshadow&chld=pin_star|%E2%80%A2|CC3300|000000|FF9900",

        new google.maps.Size (70, 83),

        new google.maps.Point (0,0),

        new google.maps.Point (10,34));

    var pinShadow = new google.maps.MarkerImage ("http://chart.apis.google.com/chart?chst=d_map_pin_shadow",

        new google.maps.Size (89, 85),

        new google.maps.Point (0, 0),

        new google.maps.Point (12, 35));



    function initialize() {

    var myLatlng = new google.maps.LatLng(38.822591, 150.46875);

    var myOptions = {

    zoom: 2,

    center: myLatlng,

    mapTypeId: google.maps.MapTypeId.ROADMAP,

    }

    var map = new google.maps.Map(document.getElementById("map_canvas"), myOptions);
        }
...

All I need is to hide the help usage of traceroute shown in my HTML code. So when I first load the page, it should just show the text field, button and map without that tracert usage. I really need your help as soon as possible. Big thanks.

Answer 1:

Instead of shell_exec, use exec. You can supply the command, a variable to receive the output, and a variable to receive the status instead of catching it all in the return of exec.

http://www.php.net/manual/en/function.exec.php

Also, please use escapeshellcmd and escapeshellarg for sanitizing your commands, http://www.php.net/manual/en/function.escapeshellcmd.php.



Answer 2:

Consider what these two lines do:

$host= preg_replace ("[-a-z0-9!#$%&\'*+/=?^_`{|}~]","",$host);
$command = "tracert $host";

You may find it instructive to print the value of $host immediately before running your command. You've stripped out all numbers and letters from your hostname -- what exactly do you intend to look up?

I can appreciate that you're aggressively stripping the input to try to avoid a shell command injection vulnerability.

Instead of stripping characters you should instead keep specific characters. Keep only [a-z0-9:.-]. (I don't know the best way to express this in PHP. Within the brackets the . means only .. Keep that meaning in whatever tool you use.) (The : is for IPv6 hosts with numeric names. Feel free to ditch it if you don't want to allow IPv6.)



Answer 3:

If I understand the actual question, you just don't want to run and output your command when there is no input. You already have

if ($_POST['submit']) 
{

Just move its closing } down past that code:

       $host_ip = $host;
    } 
// removed from here
    $host= preg_replace ("[-a-z0-9!#$%&\'*+/=?^_`{|}~]","",$host);
    $command = "tracert $host";
    $fp = shell_exec("$command 2>&1");
    $output .= (htmlentities(trim($fp)));
    echo "<pre>$output</pre>";
    echo '<br/>'; 
} //added here

That seems cleaner to me than using JS, but the JS is easy enough too. Just google for "js hide / unhide"
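
The three answers combined into one script, as an added example that is not part of any answer above: nothing runs until the form is posted, only hosts matching the allowlist are accepted, the argument is quoted with escapeshellarg, and exec returns output and status separately. The helper names is_valid_host and run_traceroute are hypothetical, and rejecting a leading - or . (so the value cannot be read as a tracert option) is an assumption added here.

```php
<?php
// Added example; is_valid_host() and run_traceroute() are hypothetical names.

// Allowlist from answer 2: keep only letters, digits, ':', '.' and '-'.
// Assumption added here: the first character may not be '-' or '.', so the
// value can never be parsed by tracert as an option.
function is_valid_host(string $host): bool
{
    return strlen($host) <= 253
        && preg_match('/\A[a-z0-9:][a-z0-9:.-]*\z/i', $host) === 1;
}

// exec() as answer 1 suggests: output lines and exit status arrive separately.
function run_traceroute(string $host): array
{
    $lines  = [];
    $status = 0;
    exec('tracert ' . escapeshellarg($host) . ' 2>&1', $lines, $status);
    return [$status, implode("\n", $lines)];
}

$message = '';
$output  = '';

// Answer 3: run nothing on first load. The submit button is named "trace".
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['trace'])) {
    $host = $_POST['host'] ?? '';
    $host = is_string($host) ? trim($host) : '';
    if (!is_valid_host($host)) {
        $message = 'You must enter a valid Host or IP address.';
    } else {
        [$status, $output] = run_traceroute($host);
        if ($status !== 0) {
            $message = "tracert exited with status $status.";
        }
    }
}
?>
<form name="tools" action="" method="post">
    <input type="text" name="host" value="">
    <input type="submit" name="trace" value="Traceroute!">
</form>
<?php if ($message !== ''): ?>
    <p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<?php if ($output !== ''): ?>
    <pre><?= htmlspecialchars($output, ENT_QUOTES, 'UTF-8') ?></pre>
<?php endif; ?>
```

Validation happens before the shell is involved, and escapeshellarg is kept as a second layer in case the allowlist is later loosened.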